Amendments to the Claims:
This listing of claims replaces all prior versions and listings of claims in the application:

Listing of Claims:

1. (Currently Amended) A computer-readable medium having embodied thereon a computer program configured to determine whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the medium comprising one or more code segments configured to:

use a permission object to determine whether a user associated with an entry in user information is permitted to access at least part of a data object associated with a data object type, wherein:

the entry in the user information associates the user with a user affiliation,

the permission object identifies:

a user affiliation to which the permission object applies,

a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes,

a permission attribute identifying one of the multiple attributes,

a permission value for the permission attribute,

an attribute access group having one or more attributes of the multiple attributes associated with the data object type, and

an attribute value group having one or more values associated with the one or more attributes in the attribute access group, and

wherein upon determination that (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute, (4) at least one attribute of the data object that the user seeks to access corresponds to an attribute of the attribute access group of the permission object, and (5) a value of an attribute of one of the multiple attributes associated with the data object is consistent with the value of the attribute of the attribute value group, the user is permitted to access the attribute sought to be accessed and not permitted to access any other of the multiple attributes not corresponding to the attribute of the attribute access group.

2. (Currently amended) The medium of claim 1 wherein the one or more code segments are further configured to permit the user to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is the same as the permission value of the permission attribute.

3. (Currently amended) The medium of claim 1 wherein the one or more code segments are further configured to permit the user to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is within a range specified by the permission value of the permission attribute.

4. (Currently amended) The medium of claim 1 wherein the one or more code segments are further configured to permit the user to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is one of enumerated values specified by the permission value of the permission attribute.

5-6. (Canceled) 

7. (Currently amended) The medium of claim 1 wherein:

the permission object identifies a permitted action, and

the one or more code segments are further configured to permit the user to access at least part of the data object and perform an action on the data object when the action is consistent with the permitted action identified in the permission object.
8. (Currently Amended) A method for determining whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the method comprising:

using a permission object to determine whether a user associated with an entry in user information is permitted to access at least part of a data object associated with a data object type, wherein:

the entry in the user information associates the user with a user affiliation,

the permission object identifies:

a user affiliation to which the permission object applies,

a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes,

a permission attribute identifying one of the multiple attributes,

a permission value for the permission attribute,

an attribute access group having one or more attributes of the multiple attributes associated with the data object type, and

an attribute value group having one or more values associated with the one or more attributes in the attribute access group, and

wherein upon determination that (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute, (4) at least one attribute of the data object that the user seeks to access corresponds to an attribute of the attribute access group of the permission object, and (5) a value of an attribute of one of the multiple attributes associated with the data object is consistent with the value of the attribute of the attribute value group, the user is permitted to access the attribute sought to be accessed and not permitted to access any other of the multiple attributes not corresponding to the attribute of the attribute access group.

9. (Currently amended) The method of claim 8 further comprising permitting the user to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is the same as the permission value of the permission attribute.

10. (Currently amended) The method of claim 8 further comprising permitting the user to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is within a range specified by the permission value of the permission attribute.

11. (Currently amended) The method of claim 8 further comprising permitting the user to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is one of enumerated values specified by the permission value of the permission attribute.

12. (Canceled) 

13. (Currently Amended) A computer system for determining whether a user is permitted to access at least part of a data object when executing a software application of an enterprise information technology system, the system comprising:

a data repository for access control information for software having data objects, each data object (1) being associated with a data object type having multiple attributes, (2) having multiple attributes that are the same as the multiple attributes of the data object type to which the data object is associated, and (3) having a value associated with each attribute of the multiple attributes, the data repository including:

user information that associates a user affiliation with a user of the software application, and

permission information having multiple permission objects, each permission object identifying a user affiliation to which the permission object applies, a data object type to which the permission object applies, a permission attribute identifying one of the multiple attributes, a permission value for the permission attribute, an attribute access group having one or more attributes of the multiple attributes associated with the data object type, and an attribute value group having one or more values associated with the one or more attributes in the attribute access group; and

an executable software module that causes:

a comparison of a value of an attribute of the multiple attributes associated with a data object that a user seeks to access such that the attribute corresponds to the permission attribute of a permission object with the permission value of the permission object,

a comparison of at least one attribute of the data object that the user seeks to access such that the attribute corresponds to an attribute of the attribute access group of the permission object,

a comparison of a value of an attribute of one of the multiple attributes associated with the data object such that the value is consistent with the value of the attribute of the attribute value group, and

an indication that a user is permitted to access the attribute sought to be accessed and not permitted to access any other of the multiple attributes not corresponding to the attribute of the attribute access group when (1) the value of the attribute associated with the data object is consistent with the permission value of the permission object, (2) at least one attribute of the data object that the user seeks to access corresponds to an attribute of the attribute access group of the permission object, and (3) a value of an attribute of one of the multiple attributes associated with the data object is consistent with the value of the attribute of the attribute value group.



Applicant: Tom Cheng et al.
Serial No.: 10/720,447
Filed: November 25, 2003
Page: 7 of 12
Attorney's Docket No.: 13914-033001 / 2003P00877 US

14. (Currently amended) The system of claim 13 wherein the executable software module causes an indication that a user is permitted to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is the same as the permission value of the permission attribute.

15. (Currently amended) The system of claim 13 wherein the executable software module causes an indication that a user is permitted to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is within a range specified by the permission value of the permission attribute.

16. (Currently amended) The system of claim 13 wherein the executable software module causes an indication that a user is permitted to access at least part of the data object when the value of the attribute of one of the multiple attributes associated with the data object is one of enumerated values specified by the permission value of the permission attribute.

17-18. (Canceled) 

19. (Currently amended) The system of claim 13 wherein:

the permission object identifies a permitted action, and

the executable software module causes an indication that a user is permitted to access at least part of the data object and perform an action on the data object when the action is consistent with the permitted action identified in the permission object.

20. (Currently amended) The medium of claim 1 wherein:

the permission object identifies a permitted action, and

the one or more code segments are further configured to permit the user to access the at least part of the data object and perform one or more database operations on the data object when the action is consistent with the permitted action identified in the permission object, where the database operations comprise create, read, update and delete.
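As an added illustration, not code from the application or its applicant, the following evaluates the five-condition check of claims 1, 8 and 13 together with the equality, range and enumeration forms of claims 2 to 4 and the permitted-action test of claims 7, 19 and 20; the class and function names and the sales-order sample data are this example's own, and condition (5) is applied strictly to every attribute value group entry.

```python
from dataclasses import dataclass
from typing import Any, FrozenSet, Mapping, Set

@dataclass
class PermissionObject:
    """One permission object as laid out in the claims (field names are this example's own)."""
    affiliation: str                 # user affiliation the permission object applies to
    object_type: str                 # data object type the permission object applies to
    perm_attr: str                   # permission attribute (one of the type's attributes)
    perm_value: Any                  # plain value, (low, high) range, or frozenset of enumerated values
    access_group: FrozenSet[str]     # attribute access group: the only attributes that may be accessed
    value_group: Mapping[str, Any]   # attribute value group: attribute -> allowed value(s), same forms
    actions: FrozenSet[str] = frozenset({"read"})   # permitted actions (claims 7, 19, 20)

def consistent(actual: Any, allowed: Any) -> bool:
    """'Consistent with' in the claims: equality (claim 2), range (claim 3) or enumeration (claim 4)."""
    if isinstance(allowed, tuple) and len(allowed) == 2:
        low, high = allowed
        return low <= actual <= high
    if isinstance(allowed, (set, frozenset)):
        return actual in allowed
    return actual == allowed

def granted_attributes(user_affiliation: str, object_type: str, attrs: Mapping[str, Any],
                       requested: Set[str], perm: PermissionObject, action: str = "read") -> Set[str]:
    """Apply one permission object; return the requested attributes it permits (empty set = denied)."""
    if (user_affiliation != perm.affiliation                     # condition (1): affiliation matches
            or object_type != perm.object_type                   # condition (2): object type matches
            or perm.perm_attr not in attrs                       # condition (3): permission attribute
            or not consistent(attrs[perm.perm_attr], perm.perm_value)):   # ... value is consistent
        return set()
    # Condition (5), read strictly in this example: every attribute value group entry must hold,
    # and an attribute missing from the object fails the check rather than passing it.
    if not all(a in attrs and consistent(attrs[a], v) for a, v in perm.value_group.items()):
        return set()
    if action not in perm.actions:                               # claims 7/19/20: permitted action
        return set()
    # Condition (4) and the result clause: only access-group attributes, none of the others.
    return set(requested) & perm.access_group

def evaluate(user_affiliation, object_type, attrs, requested, perms, action="read"):
    """Union over the repository's multiple permission objects (claim 13)."""
    granted: Set[str] = set()
    for perm in perms:
        granted |= granted_attributes(user_affiliation, object_type, attrs, requested, perm, action)
    return granted

# Constructed sample data (not from the application): an EMEA sales affiliation and one sales order.
EMEA_SALES = PermissionObject("sales_emea", "SalesOrder", "region", "EMEA",
                              frozenset({"order_id", "amount", "customer"}),
                              {"status": frozenset({"open", "approved"})}, frozenset({"read", "update"}))
ORDER = {"order_id": 17, "region": "EMEA", "amount": 1200, "customer": "ACME", "status": "open", "margin": 0.3}
```

A request for {"amount", "margin"} by a sales_emea user on ORDER yields only {"amount"}, because "margin" is outside the attribute access group even though every other condition holds.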



